Abstract

Baker and Cirinei introduced an exact but naive algorithm [3], based on solving a state reachability problem in a finite automaton, to check whether sets of sporadic hard real-time tasks are schedulable on identical multiprocessor platforms. However, the algorithm suffered from poor performance due to the exponential size of the automaton relative to the size of the task set. In this paper, we successfully apply techniques developed by the formal verification community, specifically antichain algorithms [9, 11], by defining and proving the correctness of a simulation relation on Baker and Cirinei's automaton. We show that our improved algorithm yields dramatically improved performance for the schedulability test and opens the way for many further improvements.

1. Introduction 

In this research we consider the schedulability problem of hard real-time sporadic constrained deadline task systems upon identical multiprocessor platforms. Hard real-time systems are systems where tasks are not only required to provide correct computations but are also required to adhere to strict deadlines [16].

Devising an exact schedulability criterion for sporadic task sets on multiprocessor platforms has so far proven difficult due to the fact that there is no known worst case scenario (nor critical instant). It was notably shown in [14] that the periodic case is not necessarily the worst on multiprocessor systems. In this context, the real-time community has mainly been focused on the development of sufficient schedulability tests that correctly identify all unschedulable task sets, but may misidentify some schedulable systems as being unschedulable [2] using a given platform and scheduling policy (see e.g. [4]).

Baker and Cirinei introduced the first correct algorithm [3] that verified exactly whether a sporadic task system was schedulable on an identical multiprocessor platform by solving a reachability problem on a finite state automaton using a naive brute-force algorithm, but it suffered from the fact that the number of states was exponential in the size of the task set and its periods, which made the algorithm intractable even for small task sets with large enough periods.

In this paper, we apply techniques developed by the formal verification community, specifically by Doyen, Raskin et al. [9, 11], who developed faster algorithms to solve the reachability problem using data structures known as antichains. Their method has been shown to be provably better [11] than naive state traversal algorithms such as those used in [3] for deciding reachability from a set of initial states to a given set of final states.

An objective of this work is to be as self-contained 
as possible to allow readers from the real-time commu- 
nity to be able to fully understand the concepts borrowed 
from the formal verification community. We also hope 
our work will kickstart a "specialisation" of the methods 
presented herein within the realm of real-time scheduling, 
thus bridging the two communities. 



Related work. This work is not the first contribution to apply techniques and models first proposed in the setting of formal verification to real-time scheduling. In the field of operational research, Abdeddaim and Maler have studied the use of stopwatch automata to solve job-shop scheduling problems [1]. Cassez has recently exploited game theory, specifically timed games, to bound worst-case execution times on modern computer architectures, taking into account caching and pipelining [8]. Fersman et al. have studied a similar problem and introduced task automata which assume continuous time [12], whereas we consider discrete time in our work. They showed that, given selected constraints, schedulability could be undecidable in their model. Bonifaci and Marchetti-Spaccamela have studied the related problem of feasibility of multiprocessor sporadic systems in [6] and have established an upper bound on its complexity.



This research. We define a restriction to constrained deadlines (systems where the relative deadline of each task is no longer than its minimal interarrival time) of Baker and Cirinei's automaton in a more formal way than in [3]. We also formulate various scheduling policy properties in the framework of this automaton, such as memorylessness.

Our main contribution is the design and proof of correctness of a non-trivial simulation relation on the automaton, which is required to successfully apply a generic algorithm developed in the formal verification community, known as an antichain algorithm, to Baker and Cirinei's automaton in order to prove or disprove the schedulability of a given sporadic task system.

Finally, we will show through implementation and ex- 
perimental analysis that our proposed algorithm outper- 
forms Baker and Cirinei's original brute-force algorithm. 

Paper organization. Section 2 defines the real-time scheduling problem we are focusing on, i.e. devising an exact schedulability test for sporadic task sets on identical multiprocessor platforms. Section 3 formalizes the model (a non-deterministic automaton) we use to describe the problem, and we formulate how the schedulability test can be mapped to a reachability problem in this model. We also formalize various real-time scheduling concepts in the framework of our formal model.

Section 4 then discusses how the reachability problem can be solved. We present the classical breadth-first algorithm used in [3] and we introduce an improved algorithm that makes use of techniques borrowed from the formal verification community [11]. The algorithm requires coarse simulation relations to work faster than the standard breadth-first algorithm. Section 5 introduces the idle tasks simulation relation which can be exploited by the aforementioned algorithm.

Section 6 then showcases experimental results comparing the breadth-first and our improved algorithm using the aforementioned simulation relation, showing that our algorithm outperforms the naive one. Section 7 concludes our work. Appendix A gives a detailed proof of a lemma we use in Section 4.

2. Problem definition 

We consider an identical multiprocessor platform with $m$ processors and a sporadic task set $\tau = \{\tau_1, \tau_2, \ldots, \tau_n\}$. Time is assumed to be discrete. A sporadic task $\tau_i$ is characterized by a minimum interarrival time $T_i > 0$, a relative deadline $D_i > 0$ and a worst-case execution time (also written WCET) $C_i > 0$. A sporadic task $\tau_i$ submits a potentially infinite number of jobs to the system, with each request being separated by at least $T_i$ units of time. We will assume jobs are not parallel, i.e. a job only executes on one single processor at a time (though it may migrate from a processor to another during execution). We also assume jobs are independent. We wish to establish an exact schedulability test for any sporadic task set $\tau$ that tells us whether the set is schedulable on the platform with a given deterministic, predictable and preemptive scheduling policy. In the remainder of this paper, we will assume we only work with constrained deadline systems (i.e. where $\forall i : D_i \leq T_i$), which embody many real-time systems in practice.

3. Formal definition of the Baker-Cirinei automaton

Baker and Cirinei's automaton as presented in [3] models the evolution of an arbitrary deadline sporadic task set (with a FIFO policy for jobs of a given task) scheduled on an identical multiprocessor platform with $m$ processors. In this paper, we focus on constrained deadline systems as this hypothesis simplifies the definition of the automaton. We expect to analyze Baker and Cirinei's more complete construct in future works.

The model presented herein allows use of preemptive, deterministic and predictable scheduling policies. It can, however, be generalized to model broader classes of schedulers. We will discuss this aspect briefly after Definition 9.

Definition 1. An automaton is a tuple $A = (V, E, S_0, F)$, where $V$ is a finite set of states, $E \subseteq V \times V$ is the set of transitions, $S_0 \in V$ is the initial state and $F \subseteq V$ is a set of target states.

The problem on automata we are concerned with is that of reachability (of target states). A path in an automaton $A = (V, E, S_0, F)$ is a finite sequence $v_1, \ldots, v_\ell$ of states s.t. for all $1 \leq i \leq \ell - 1$: $(v_i, v_{i+1}) \in E$. Let $V' \subseteq V$ be a set of states of $A$. If there exists a path $v_1, \ldots, v_\ell$ in $A$ s.t. $v_\ell \in V'$, we say that $v_1$ can reach $V'$. Then, the reachability problem asks, given an automaton $A$, whether the initial state $S_0$ can reach the set of target states $F$.

Let $\tau = \{\tau_1, \tau_2, \ldots, \tau_n\}$ be a set of sporadic tasks and $m$ be a number of processors. This section is devoted to explaining how to model the behaviour of such a system by means of an automaton $A$, and how to reduce the schedulability problem of $\tau$ on $m$ processors to an instance of the reachability problem in $A$. At any moment during the execution of such a system, the information we need to retain about each task $\tau_i$ is: (i) the earliest next arrival time $\mathit{nat}(\tau_i)$ relative to the current instant and (ii) the remaining processing time $\mathit{rct}(\tau_i)$ of the currently ready job of $\tau_i$. Hence the definition of system state:

Definition 2 (System states). Let $\tau = \{\tau_1, \tau_2, \ldots, \tau_n\}$ be a set of sporadic tasks. A system state of $\tau$ is a tuple $S = (\mathit{nat}_S, \mathit{rct}_S)$ where $\mathit{nat}_S$ is a function from $\tau$ to $\{0, 1, \ldots, T_{\max}\}$ where $T_{\max} \stackrel{\text{def}}{=} \max_i T_i$, and $\mathit{rct}_S$ is a function from $\tau$ to $\{0, 1, \ldots, C_{\max}\}$, where $C_{\max} \stackrel{\text{def}}{=} \max_i C_i$. We denote by $\mathit{States}(\tau)$ the set of all system states of $\tau$.

In order to define the set of transitions of the automaton, we need to rely on ancillary notions:

Definition 3 (Eligible task). A task $\tau_i$ is eligible in the state $S$ if it can submit a job from this configuration (i.e. if and only if the task does not currently have an active job and the last job was submitted at least $T_i$ time units ago). Formally, the set of eligible tasks in state $S$ is:

$$\mathit{Eligible}(S) = \{\tau_i \mid \mathit{nat}_S(\tau_i) = \mathit{rct}_S(\tau_i) = 0\}$$

Definition 4 (Active task). A task is active in state $S$ if it currently has a job that has not finished in $S$. Formally, the set of active tasks in $S$ is:

$$\mathit{Active}(S) = \{\tau_i \mid \mathit{rct}_S(\tau_i) > 0\}$$

A task that is not active in $S$ is said to be idle in $S$.

Definition 5 (Laxity [3]). The laxity of a task $\tau_i$ in a system state $S$ is:

$$\mathit{laxity}_S(\tau_i) \stackrel{\text{def}}{=} \mathit{nat}_S(\tau_i) - (T_i - D_i) - \mathit{rct}_S(\tau_i)$$

Since $\mathit{nat}_S(\tau_i) - (T_i - D_i)$ is the time remaining before the absolute deadline of the current job of $\tau_i$, a negative laxity means that the remaining work $\mathit{rct}_S(\tau_i)$ cannot be completed by that deadline even if the job runs without interruption from $S$ onwards.

Definition 6 (Failure state). A state $S$ is a failure state iff the laxity of at least one task is negative in $S$. Formally, the set of failure states on $\tau$ is:

$$\mathit{Fail}_\tau = \{S \mid \exists \tau_i \in \tau : \mathit{laxity}_S(\tau_i) < 0\}$$

Thanks to these notions we are now ready to explain how to build the transition relation of the automaton that models the behaviour of $\tau$. For that purpose, we first choose a scheduler. Intuitively, a scheduler is a function (1) $\mathit{Run}$ that maps each state $S$ to a set of at most $m$ active tasks $\mathit{Run}(S)$ to be run:

Definition 7 (Scheduler). A (deterministic) scheduler for $\tau$ on $m$ processors is a function $\mathit{Run} : \mathit{States}(\tau) \to 2^\tau$ s.t. for all $S$: $\mathit{Run}(S) \subseteq \mathit{Active}(S)$ and $0 \leq |\mathit{Run}(S)| \leq m$. Moreover:

1. $\mathit{Run}$ is work-conserving iff for all $S$, $|\mathit{Run}(S)| = \min\{m, |\mathit{Active}(S)|\}$

2. $\mathit{Run}$ is memoryless iff for all $S_1, S_2 \in \mathit{States}(\tau)$ with $\mathit{Active}(S_1) = \mathit{Active}(S_2)$:

$$\forall \tau_i \in \mathit{Active}(S_1) : \big(\mathit{nat}_{S_1}(\tau_i) = \mathit{nat}_{S_2}(\tau_i) \wedge \mathit{rct}_{S_1}(\tau_i) = \mathit{rct}_{S_2}(\tau_i)\big) \text{ implies } \mathit{Run}(S_1) = \mathit{Run}(S_2)$$

Intuitively, the work-conserving property implies that the scheduler always exploits as many processors as available. The memoryless property implies that the decisions of the scheduler are not affected by tasks that are idle and that the scheduler does not consider the past to make its decisions.

As examples, we can formally define the preemptive global DM and EDF schedulers.

(1) Remark that by modeling the scheduler as a function, we restrict ourselves to deterministic schedulers.



Definition 8 (Preemptive global DM scheduler). Let $\ell = \min\{m, |\mathit{Active}(S)|\}$. Then, $\mathit{Run}_{\mathit{DM}}$ is the function that computes $\mathit{Run}_{\mathit{DM}}(S) \stackrel{\text{def}}{=} \{\tau_{i_1}, \tau_{i_2}, \ldots, \tau_{i_\ell}\}$ s.t. for all $1 \leq j \leq \ell$ and for all $\tau_k \in \mathit{Active}(S) \setminus \mathit{Run}_{\mathit{DM}}(S)$, we have $D_k > D_{i_j}$ or ($D_k = D_{i_j}$ and $k > i_j$).

Definition 9 (Preemptive global EDF scheduler). Let $\mathit{ttd}_S(\tau_i) \stackrel{\text{def}}{=} \mathit{nat}_S(\tau_i) - (T_i - D_i)$ be the time remaining before the absolute deadline of the last submitted job of $\tau_i \in \mathit{Active}(S)$ in state $S$. Let $\ell \stackrel{\text{def}}{=} \min\{m, |\mathit{Active}(S)|\}$. Then, $\mathit{Run}_{\mathit{EDF}}$ is the function that computes $\mathit{Run}_{\mathit{EDF}}(S) \stackrel{\text{def}}{=} \{\tau_{i_1}, \tau_{i_2}, \ldots, \tau_{i_\ell}\}$ s.t. for all $1 \leq j \leq \ell$ and for all $\tau_k \in \mathit{Active}(S) \setminus \mathit{Run}_{\mathit{EDF}}(S)$, we have $\mathit{ttd}_S(\tau_k) > \mathit{ttd}_S(\tau_{i_j})$ or ($\mathit{ttd}_S(\tau_k) = \mathit{ttd}_S(\tau_{i_j})$ and $k > i_j$).

By Definition 7, global DM and EDF are thus work-conserving, and it can also be verified that they are memoryless: both select among $\mathit{Active}(S)$ using only task constants and the $\mathit{nat}$ values of active tasks. In [3], suggestions to model several other schedulers were presented. It was particularly shown that adding supplementary information to system states could allow broader classes of schedulers to be used. Intuitively, states could e.g. keep track of what tasks were executed in their predecessor to implement non-preemptive schedulers.

Clearly, in the case of the scheduling of sporadic tasks, 
two types of events can modify the current state of the 
system: 

1. Clock-tick transitions model the elapsing of time for 
one time unit, i.e. the execution of the scheduler and 
the running of jobs. 

2. Request transitions (called ready transitions in [3]) model requests from sporadic tasks at a given instant in time.

Let $S$ be a state in $\mathit{States}(\tau)$, and let $\mathit{Run}$ be a scheduler. Then, letting one time unit elapse from $S$ under the scheduling policy imposed by $\mathit{Run}$ amounts to decrementing the $\mathit{rct}$ of the tasks in $\mathit{Run}(S)$ (and only those tasks), and to decrementing the $\mathit{nat}$ of all tasks. Formally:

Definition 10. Let $S = (\mathit{nat}_S, \mathit{rct}_S) \in \mathit{States}(\tau)$ be a system state and $\mathit{Run}$ be a scheduler for $\tau$ on $m$ processors. Then, we say that $S^+ = (\mathit{nat}_{S^+}, \mathit{rct}_{S^+})$ is a clock-tick successor of $S$ under $\mathit{Run}$, denoted $S \xrightarrow{\mathit{Run}} S^+$, iff:

1. for all $\tau_i \in \mathit{Run}(S)$: $\mathit{rct}_{S^+}(\tau_i) = \mathit{rct}_S(\tau_i) - 1$;

2. for all $\tau_i \notin \mathit{Run}(S)$: $\mathit{rct}_{S^+}(\tau_i) = \mathit{rct}_S(\tau_i)$;

3. for all $\tau_i \in \tau$: $\mathit{nat}_{S^+}(\tau_i) = \max\{\mathit{nat}_S(\tau_i) - 1, 0\}$.

Let $S$ be a state in $\mathit{States}(\tau)$. Intuitively, when the system is in state $S$, a request by some task $\tau_i$ for submitting a new job has the effect of updating $S$ by setting $\mathit{nat}(\tau_i)$ to $T_i$ and $\mathit{rct}(\tau_i)$ to $C_i$. This can be generalised to sets of tasks. Formally:

Definition 11. Let $S \in \mathit{States}(\tau)$ be a system state and let $\tau' \subseteq \mathit{Eligible}(S)$ be a set of tasks that are eligible to submit a new job in the system. Then, we say that $S'$ is a $\tau'$-request successor of $S$, denoted $S \xrightarrow{\tau'} S'$, iff:

1. for all $\tau_i \in \tau'$: $\mathit{nat}_{S'}(\tau_i) = T_i$ and $\mathit{rct}_{S'}(\tau_i) = C_i$, and

2. for all $\tau_i \in \tau \setminus \tau'$: $\mathit{nat}_{S'}(\tau_i) = \mathit{nat}_S(\tau_i)$ and $\mathit{rct}_{S'}(\tau_i) = \mathit{rct}_S(\tau_i)$.

Remark that we allow $\tau' = \emptyset$ (that is, no task asks to submit a new job in the system).

We are now ready to define the automaton $A(\tau, \mathit{Run})$ that formalises the behavior of the system of sporadic tasks $\tau$, when executed upon $m$ processors under a scheduling policy $\mathit{Run}$:

Definition 12. Given a set of sporadic tasks $\tau$ and a scheduler $\mathit{Run}$ for $\tau$ on $m$ processors, the automaton $A(\tau, \mathit{Run})$ is the tuple $(V, E, S_0, F)$ where:

1. $V = \mathit{States}(\tau)$

2. $(S_1, S_2) \in E$ iff there exist $S' \in \mathit{States}(\tau)$ and $\tau' \subseteq \tau$ s.t. $S_1 \xrightarrow{\tau'} S' \xrightarrow{\mathit{Run}} S_2$.

3. $S_0 = (\mathit{nat}_0, \mathit{rct}_0)$ where for all $\tau_i \in \tau$, $\mathit{nat}_0(\tau_i) = \mathit{rct}_0(\tau_i) = 0$.

4. $F = \mathit{Fail}_\tau$

Figure 1 illustrates a possible graphical representation of one such automaton, which will be analyzed further in Section 5. On this example, the automaton depicts the following EDF-schedulable sporadic task set using an EDF scheduler and assuming $m = 2$:

System states are represented by nodes. For the purpose of saving space, we represent a state $S$ with the $[\alpha\beta, \gamma\delta]$ format, meaning $\mathit{nat}_S(\tau_1) = \alpha$, $\mathit{rct}_S(\tau_1) = \beta$, $\mathit{nat}_S(\tau_2) = \gamma$ and $\mathit{rct}_S(\tau_2) = \delta$. We explicitly represent clock-tick transitions by edges labelled with $\mathit{Run}$, and $\tau'$-request transitions by edges labelled with $\tau'$. $\tau' = \emptyset$ loops are implicit on each state. Note that, in accordance with Definition 12, there are no successive $\tau'$-request transitions, and there are thus no such transitions from states such as $[21, 00]$ and $[00, 32]$. Also note that the automaton indeed models the evolution of a sporadic system, of which the periodic case is one possible path (the particular case of a synchronous system is found by taking the maximal $\tau'$-request transition whenever possible, starting from $[00, 00]$).

We remark that our definition deviates slightly from that of Baker and Cirinei. In our definition, a path in the automaton corresponds to an execution of the system that alternates between request transitions (possibly with an empty set of requests) and clock-tick transitions. In their work [3], Baker and Cirinei allow any sequence of clock ticks and requests, but restrict each request to a single task at a time. It is easy to see that these two definitions are equivalent. A sequence of $k$ clock ticks in Baker's automaton corresponds in our case to a path $S_1, S_2, \ldots, S_{k+1}$ s.t. for all $1 \leq i \leq k$: $S_i \xrightarrow{\emptyset} S_i \xrightarrow{\mathit{Run}} S_{i+1}$. A maximal sequence of successive requests by $\tau_1, \tau_2, \ldots, \tau_k$, followed by a clock tick, corresponds in our case to a single edge $(S_1, S_2)$ s.t. $S_1 \xrightarrow{\{\tau_1, \ldots, \tau_k\}} S' \xrightarrow{\mathit{Run}} S_2$ for some $S'$. Conversely, each edge $(S_1, S_2)$ in $A(\tau, \mathit{Run})$ s.t. $S_1 \xrightarrow{\tau'} S' \xrightarrow{\mathit{Run}} S_2$, for some state $S'$ and set of tasks $\tau' = \{\tau_1, \ldots, \tau_k\}$, corresponds to a sequence of successive requests (2) by $\tau_1, \ldots, \tau_k$, followed by a clock tick in Baker's setting.

(2) Remark that the order does not matter.

The purpose of the definition of $A(\tau, \mathit{Run})$ should now be clear to the reader. Each possible execution of the system corresponds to a path in $A(\tau, \mathit{Run})$ and vice-versa. States in $\mathit{Fail}_\tau$ correspond to states of the system where a deadline will unavoidably be missed. Hence, the set of sporadic tasks $\tau$ is schedulable under scheduler $\mathit{Run}$ on $m$ processors iff $\mathit{Fail}_\tau$ is not reachable in $A(\tau, \mathit{Run})$ [3]. Unfortunately, the number of states of $A(\tau, \mathit{Run})$ can be intractable even for very small sets of tasks $\tau$. In the next section we present generic techniques to solve the reachability problem in an efficient fashion, and apply them to our case. Experimental results given in Section 6 demonstrate the practical interest of these methods.

4. Solving the reachability problem 

Let us now discuss techniques to solve the reachability problem. Let $A = (V, E, S_0, F)$ be an automaton. For any $S \in V$, let $\mathit{Succ}(S) = \{S' \mid (S, S') \in E\}$ be the set of one-step successors of $S$. For a set of states $R$, we let $\mathit{Succ}(R) = \bigcup_{S \in R} \mathit{Succ}(S)$. Then, solving the reachability problem on $A$ can be done by a breadth-first traversal of the automaton, as shown in Algorithm 1.

Algorithm 1: Breadth-first traversal.

begin
    $i \leftarrow 0$;
    $R_0 \leftarrow \{S_0\}$;
    repeat
        $i \leftarrow i + 1$;
        $R_i \leftarrow R_{i-1} \cup \mathit{Succ}(R_{i-1})$;
        if $R_i \cap F \neq \emptyset$ then return Reachable;
    until $R_i = R_{i-1}$;
    return Not reachable;



Intuitively, for all $i \geq 0$, $R_i$ is the set of states that are reachable from $S_0$ in $i$ steps at most. The algorithm computes the sets $R_i$ up to the point where (i) either a state from $F$ is met or (ii) the sequence of $R_i$ stabilises because no new states have been discovered, and we declare $F$ to be unreachable. This algorithm always terminates and returns the correct answer. Indeed, either $F$ is reachable in, say, $k$ steps, and then $R_k \cap F \neq \emptyset$, and we return 'Reachable'. Or $F$ is not reachable, and the sequence eventually stabilises because $R_0 \subseteq R_1 \subseteq R_2 \subseteq \cdots \subseteq V$, and $V$ is a finite set. Then, we exit the loop and return 'Not reachable'. Remark that this algorithm has the advantage that the whole automaton does not need to be stored in memory before starting the computation, as Definition 10 and Definition 11 allow us to compute $\mathit{Succ}(S)$ on the fly for any state $S$. Nevertheless, in the worst case, this procedure needs to explore the whole automaton and is thus in $O(|V|)$, which can be too large to handle in practice [3].

Equipped with such a simple definition of automaton, this is the best algorithm we can hope for. However, in many practical cases, the set of states of the automaton is endowed with a strong semantics that can be exploited to speed up Algorithm 1. In our case, states are tuples of integers that characterise sporadic tasks running in a system. To harness this information, we rely on the formal notion of simulation:

Definition 13. Let $A = (V, E, S_0, F)$ be an automaton. A simulation relation for $A$ is a preorder $\succeq \subseteq V \times V$ s.t.:

1. For all $S_1, S_2, S_3$ s.t. $(S_1, S_2) \in E$ and $S_3 \succeq S_1$, there exists $S_4$ s.t. $(S_3, S_4) \in E$ and $S_4 \succeq S_2$.

2. For all $S_1, S_2$ s.t. $S_1 \succeq S_2$: $S_2 \in F$ implies $S_1 \in F$.

Whenever $S_1 \succeq S_2$, we say that $S_1$ simulates $S_2$. Whenever $S_1 \succeq S_2$ but $S_2 \not\succeq S_1$, we write $S_1 \succ S_2$.

Intuitively, this definition says that whenever a state $S_3$ simulates a state $S_1$, then $S_3$ can mimic every possible move of $S_1$ by moving to a similar state: for every edge $(S_1, S_2)$, there is a corresponding edge $(S_3, S_4)$, where $S_4$ simulates $S_2$. Moreover, we request that a target state can only be simulated by a target state. Remark that for a given automaton there can be several simulation relations (for instance, equality is always a simulation relation).

The key consequence of this definition is that if $S_2$ is a state that can reach $F$, and if $S_1 \succeq S_2$, then $S_1$ can reach $F$ too. Indeed, if $S_2$ can reach $F$, there is a path $v_0, v_1, \ldots, v_n$ with $v_0 = S_2$ and $v_n \in F$. Using Definition 13 we can inductively build a path $v'_0, v'_1, \ldots, v'_n$ s.t. $v'_0 = S_1$ and $v'_i \succeq v_i$ for all $i \geq 0$. Thus, in particular $v'_n \succeq v_n \in F$, hence $v'_n \in F$ by Definition 13. This means that $S_1$ can reach $F$ too. Thus, when we compute two states $S_1$ and $S_2$ with $S_1 \succeq S_2$ at some step of Algorithm 1, we do not need to further explore the successors of $S_2$. Indeed, Algorithm 1 tries to detect reachable target states. So, if $S_2$ cannot reach a target state, it is safe not to explore its successors. Otherwise, if $S_2$ can reach a target state, then $S_1$ can reach a target state too, so it is safe to explore the successors of $S_1$ only. By exploiting this heuristic, Algorithm 1 could explore only a (small) subset of the states of $A$, which has the potential for a dramatic improvement in computation time. Remark that such techniques have already been exploited in the setting of formal verification, where several so-called antichain algorithms have been studied [9, 11, 13] and have proved to be several orders of magnitude more efficient than the classical techniques of the literature.

Formally, for a set of states $V' \subseteq V$, we let $\mathit{Max}_{\succeq}(V') = \{S \in V' \mid \nexists S' \in V' \text{ with } S' \succ S\}$. Intuitively, $\mathit{Max}_{\succeq}(V')$ is obtained from $V'$ by removing all the states that are strictly simulated by some other state in $V'$. So the states we keep in $\mathit{Max}_{\succeq}(V')$ are irredundant (3) wrt $\succeq$. Then, we consider Algorithm 2, which is an improved version of Algorithm 1 (we write $\tilde{R}_i$ for the sets it computes, to distinguish them from the sets $R_i$ of Algorithm 1).

Algorithm 2: Improved breadth-first traversal.

begin
    $i \leftarrow 0$;
    $\tilde{R}_0 \leftarrow \{S_0\}$;
    repeat
        $i \leftarrow i + 1$;
        $\tilde{R}_i \leftarrow \tilde{R}_{i-1} \cup \mathit{Succ}(\tilde{R}_{i-1})$;
        $\tilde{R}_i \leftarrow \mathit{Max}_{\succeq}(\tilde{R}_i)$;
        if $\tilde{R}_i \cap F \neq \emptyset$ then return Reachable;
    until $\tilde{R}_i = \tilde{R}_{i-1}$;
    return Not reachable;

(3) They form an antichain of states wrt $\succeq$.



Proving the correctness and termination of Algorithm 2 is a little bit more involved than for Algorithm 1 and relies on the following lemma (proof in appendix):

Lemma 14. Let $A$ be an automaton and let $\succeq$ be a simulation relation for $A$. Let $R_0, R_1, \ldots$ and $\tilde{R}_0, \tilde{R}_1, \ldots$ denote respectively the sequence of sets computed by Algorithm 1 and Algorithm 2 on $A$. Then, for all $i \geq 0$: $\tilde{R}_i = \mathit{Max}_{\succeq}(R_i)$.

Intuitively, this means that some state $S$ that is in $R_i$ could be absent from $\tilde{R}_i$, but that we always keep in $\tilde{R}_i$ a state $S'$ that simulates $S$. Then, we can prove that:

Theorem 15. For all automata $A = (V, E, S_0, F)$, Algorithm 2 terminates and returns "Reachable" iff $F$ is reachable in $A$.

Proof. The proof relies on the comparison between the sequence of sets $R_0, R_1, \ldots$ computed by Algorithm 1 (which is correct and terminates) and the sequence $\tilde{R}_0, \tilde{R}_1, \ldots$ computed by Algorithm 2.

Assume $F$ is reachable in $A$ in $k$ steps and not reachable in less than $k$ steps. Then, there exists a path $v_0, v_1, \ldots, v_k$ with $v_0 = S_0$, $v_k \in F$, and, for all $0 \leq i \leq k$, $v_i \in R_i$. Let us first show per absurdum that the loop in Algorithm 2 does not finish before the $k$th step. Assume it is not the case, i.e. there exists $0 < \ell < k$ s.t. $\tilde{R}_\ell = \tilde{R}_{\ell-1}$. This implies that $\mathit{Max}_{\succeq}(R_\ell) = \mathit{Max}_{\succeq}(R_{\ell-1})$ through Lemma 14. Since every state of $R_\ell$ is simulated by some state of $\mathit{Max}_{\succeq}(R_\ell) \subseteq R_{\ell-1}$, we deduce that all the states that have been added to $R_\ell$ are simulated by some state already present in $R_{\ell-1}$: for all $S \in R_\ell$, there is $S' \in R_{\ell-1}$ s.t. $S' \succeq S$. Thus, in particular, there is $S' \in R_{\ell-1}$ s.t. $S' \succeq v_\ell$. We consider two cases. Either there is $S' \in R_{\ell-1}$ s.t. $S' \succeq v_k$. Since $v_k \in F$, $F \cap R_{\ell-1} \neq \emptyset$, which contradicts our hypothesis that $F$ is not reachable in less than $k$ steps. Otherwise, let $\ell \leq m < k$ be the least position in the path s.t. there is $S' \in R_{\ell-1}$ with $S' \succeq v_m$, but there is no $S'' \in R_{\ell-1}$ with $S'' \succeq v_{m+1}$. In this case, since $S' \succeq v_m$ and $(v_m, v_{m+1}) \in E$, there is $S \in \mathit{Succ}(S') \subseteq R_\ell$ s.t. $S \succeq v_{m+1}$. However, we have made the hypothesis that every element in $R_\ell$ is simulated by some element in $R_{\ell-1}$. Thus, there is $S'' \in R_{\ell-1}$ s.t. $S'' \succeq S$. Since $S \succeq v_{m+1}$, we deduce that $S'' \succeq v_{m+1}$, with $S'' \in R_{\ell-1}$, which contradicts our assumption. Thus, Algorithm 2 will not stop before the $k$th iteration, and we know that there is $S_F \in R_k$ s.t. $S_F \in F$. By Lemma 14, $\tilde{R}_k = \mathit{Max}_{\succeq}(R_k)$, hence there is $S' \in \tilde{R}_k$ s.t. $S' \succeq S_F$. By Definition 13, $S' \in F$ since $S_F \in F$. Hence, $\tilde{R}_k \cap F \neq \emptyset$ and Algorithm 2 terminates after $k$ steps with the correct answer.

Otherwise, assume $F$ is not reachable in $A$. Hence, for every $i \geq 0$, $R_i \cap F = \emptyset$. Since $\tilde{R}_i \subseteq R_i$ for all $i \geq 0$, we conclude that $\tilde{R}_i \cap F = \emptyset$ for all $i \geq 0$. Hence, Algorithm 2 never returns "Reachable" in this case. It remains to show that the repeat loop eventually terminates. Since $F$ is not reachable in $A$, there is $k$ s.t. $R_k = R_{k-1}$. Hence, $\mathit{Max}_{\succeq}(R_k) = \mathit{Max}_{\succeq}(R_{k-1})$. By Lemma 14 this implies that $\tilde{R}_k = \tilde{R}_{k-1}$. Thus, Algorithm 2 finishes after $k$ steps and returns "Not reachable". □

In order to apply Algorithm 2, it remains to show how to compute a simulation relation, which should contain as many pairs of states as possible, since this raises the chances of avoiding the exploration of some states during the breadth-first search. It is well-known that the largest simulation relation of an automaton can be computed in polynomial time wrt the size of the automaton [15]. However, this requires first computing the whole automaton, which is exactly what we want to avoid in our case. So we need to define simulation relations that can be computed a priori, only by considering the structure of the states (in our case, the functions $\mathit{nat}$ and $\mathit{rct}$). This is the purpose of the next section.

5. Idle tasks simulation relation

In this section we define a simulation relation $\succeq_{\mathit{idle}}$, called the idle tasks simulation relation, that can be computed by inspecting the values $\mathit{nat}$ and $\mathit{rct}$ stored in the states.

Definition 16. Let $\tau$ be a set of sporadic tasks. Then, the idle tasks preorder $\succeq_{\mathit{idle}} \subseteq \mathit{States}(\tau) \times \mathit{States}(\tau)$ is s.t. for all $S_1, S_2$: $S_1 \succeq_{\mathit{idle}} S_2$ iff

1. $\mathit{rct}_{S_1} = \mathit{rct}_{S_2}$;

2. for all $\tau_i$ s.t. $\mathit{rct}_{S_1}(\tau_i) = 0$: $\mathit{nat}_{S_1}(\tau_i) \leq \mathit{nat}_{S_2}(\tau_i)$;

3. for all $\tau_i$ s.t. $\mathit{rct}_{S_1}(\tau_i) > 0$: $\mathit{nat}_{S_1}(\tau_i) = \mathit{nat}_{S_2}(\tau_i)$.

Notice the relation is reflexive as well as transitive, and thus indeed a preorder. It also defines a partial order on $\mathit{States}(\tau)$ as it is antisymmetric. Moreover, since $S_1 \succeq_{\mathit{idle}} S_2$ implies that $\mathit{rct}_{S_1} = \mathit{rct}_{S_2}$, we also have $\mathit{Active}(S_1) = \mathit{Active}(S_2)$. Intuitively, a state $S_1$ simulates a state $S_2$ iff (i) $S_1$ and $S_2$ coincide on all the active tasks (i.e., the tasks $\tau_i$ s.t. $\mathit{rct}_{S_1}(\tau_i) > 0$), and (ii) the $\mathit{nat}$ of each idle task is not larger in $S_1$ than in $S_2$. Let us show that this preorder is indeed a simulation relation when we consider a memoryless scheduler (which is often the case in practice):

Theorem 17. Let $\tau$ be a set of sporadic tasks and let $\mathit{Run}$ be a memoryless (deterministic) scheduler for $\tau$ on $m$ processors. Then, $\succeq_{\mathit{idle}}$ is a simulation relation for $A(\tau, \mathit{Run})$.

Proof. Let $S_1$, $S'_1$ and $S_2$ be three states in $\mathit{States}(\tau)$ s.t. $(S_1, S'_1) \in E$ and $S_2 \succeq_{\mathit{idle}} S_1$, and let us show that there exists $S'_2 \in \mathit{States}(\tau)$ with $(S_2, S'_2) \in E$ and $S'_2 \succeq_{\mathit{idle}} S'_1$.

Since $(S_1, S'_1) \in E$, there exist $\bar{S}_1$ and $\tau' \subseteq \tau$ s.t. $S_1 \xrightarrow{\tau'} \bar{S}_1 \xrightarrow{\mathit{Run}} S'_1$, by Definition 12. Remark that $\tau' \subseteq \mathit{Eligible}(S_2)$: every $\tau_i \in \tau'$ has $\mathit{rct}_{S_1}(\tau_i) = \mathit{nat}_{S_1}(\tau_i) = 0$, hence $\mathit{rct}_{S_2}(\tau_i) = 0$ and $\mathit{nat}_{S_2}(\tau_i) \leq 0$ by Definition 16. Let $\bar{S}_2$ be the (unique) state s.t. $S_2 \xrightarrow{\tau'} \bar{S}_2$, and let us show that $\bar{S}_2 \succeq_{\mathit{idle}} \bar{S}_1$:

1. For all $\tau_i \in \tau'$: $\mathit{rct}_{\bar{S}_2}(\tau_i) = C_i = \mathit{rct}_{\bar{S}_1}(\tau_i)$. For all $\tau_i \notin \tau'$: $\mathit{rct}_{\bar{S}_1}(\tau_i) = \mathit{rct}_{S_1}(\tau_i)$, $\mathit{rct}_{\bar{S}_2}(\tau_i) = \mathit{rct}_{S_2}(\tau_i)$, and, since $S_2 \succeq_{\mathit{idle}} S_1$: $\mathit{rct}_{S_1}(\tau_i) = \mathit{rct}_{S_2}(\tau_i)$. Thus we conclude that $\mathit{rct}_{\bar{S}_1} = \mathit{rct}_{\bar{S}_2}$.

2. Let $\tau_i$ be s.t. $\mathit{rct}_{\bar{S}_1}(\tau_i) = 0$. Then, we must have $\tau_i \notin \tau'$ (since $C_i > 0$). In this case, $\mathit{nat}_{\bar{S}_1}(\tau_i) = \mathit{nat}_{S_1}(\tau_i)$, $\mathit{nat}_{\bar{S}_2}(\tau_i) = \mathit{nat}_{S_2}(\tau_i)$, $\mathit{rct}_{S_1}(\tau_i) = 0$, and, since $S_2 \succeq_{\mathit{idle}} S_1$, $\mathit{nat}_{S_2}(\tau_i) \leq \mathit{nat}_{S_1}(\tau_i)$. Hence, $\mathit{nat}_{\bar{S}_2}(\tau_i) \leq \mathit{nat}_{\bar{S}_1}(\tau_i)$. We conclude that for every $\tau_i$ s.t. $\mathit{rct}_{\bar{S}_1}(\tau_i) = 0$: $\mathit{nat}_{\bar{S}_2}(\tau_i) \leq \mathit{nat}_{\bar{S}_1}(\tau_i)$.

3. By similar reasoning (both $\mathit{nat}$ values equal $T_i$ if $\tau_i \in \tau'$, and are otherwise unchanged and already equal since $\tau_i$ is active in $S_1$), we conclude that, for all $\tau_i$ s.t. $\mathit{rct}_{\bar{S}_1}(\tau_i) > 0$: $\mathit{nat}_{\bar{S}_1}(\tau_i) = \mathit{nat}_{\bar{S}_2}(\tau_i)$.

Then observe that, by Definition 16, $\bar{S}_2 \succeq_{\mathit{idle}} \bar{S}_1$ implies that $\mathit{Active}(\bar{S}_1) = \mathit{Active}(\bar{S}_2)$. Let $\tau_i$ be a task in $\mathit{Active}(\bar{S}_1)$, hence $\mathit{rct}_{\bar{S}_1}(\tau_i) > 0$. In this case, and since $\bar{S}_2 \succeq_{\mathit{idle}} \bar{S}_1$, we conclude that $\mathit{rct}_{\bar{S}_1}(\tau_i) = \mathit{rct}_{\bar{S}_2}(\tau_i)$ and $\mathit{nat}_{\bar{S}_1}(\tau_i) = \mathit{nat}_{\bar{S}_2}(\tau_i)$. Thus, since $\mathit{Run}$ is memoryless by hypothesis, $\mathit{Run}(\bar{S}_1) = \mathit{Run}(\bar{S}_2)$, by Definition 7. Let $S'_2$ be the unique state s.t. $\bar{S}_2 \xrightarrow{\mathit{Run}} S'_2$, and let us show that $S'_2 \succeq_{\mathit{idle}} S'_1$:

1. Since $\bar{S}_2 \succeq_{\mathit{idle}} \bar{S}_1$, we know that $\mathit{rct}_{\bar{S}_1} = \mathit{rct}_{\bar{S}_2}$. Let $\tau_i$ be a task in $\mathit{Run}(\bar{S}_1) = \mathit{Run}(\bar{S}_2)$. By Definition 10, $\mathit{rct}_{S'_1}(\tau_i) = \mathit{rct}_{\bar{S}_1}(\tau_i) - 1$ and $\mathit{rct}_{S'_2}(\tau_i) = \mathit{rct}_{\bar{S}_2}(\tau_i) - 1$. Hence, $\mathit{rct}_{S'_1}(\tau_i) = \mathit{rct}_{S'_2}(\tau_i)$. For a task $\tau_i \notin \mathit{Run}(\bar{S}_1) = \mathit{Run}(\bar{S}_2)$, we have $\mathit{rct}_{S'_1}(\tau_i) = \mathit{rct}_{\bar{S}_1}(\tau_i)$ and $\mathit{rct}_{S'_2}(\tau_i) = \mathit{rct}_{\bar{S}_2}(\tau_i)$, again by Definition 10.  Hence, $\mathit{rct}_{S'_1}(\tau_i) = \mathit{rct}_{S'_2}(\tau_i)$. We conclude that $\mathit{rct}_{S'_1} = \mathit{rct}_{S'_2}$.

2. Let $\tau_i$ be a task s.t. $\mathit{rct}_{S'_1}(\tau_i) = 0$. By Definition 10, $\mathit{nat}_{S'_1}(\tau_i) = \max\{0, \mathit{nat}_{\bar{S}_1}(\tau_i) - 1\}$ and $\mathit{nat}_{S'_2}(\tau_i) = \max\{0, \mathit{nat}_{\bar{S}_2}(\tau_i) - 1\}$. However, since $\bar{S}_2 \succeq_{\mathit{idle}} \bar{S}_1$, we know that $\mathit{nat}_{\bar{S}_2}(\tau_i) \leq \mathit{nat}_{\bar{S}_1}(\tau_i)$ (with equality if $\tau_i$ is active in $\bar{S}_1$). We conclude that $\mathit{nat}_{S'_2}(\tau_i) \leq \mathit{nat}_{S'_1}(\tau_i)$.

3. Let $\tau_i$ be a task s.t. $\mathit{rct}_{S'_1}(\tau_i) > 0$. By Definition 10, $\mathit{nat}_{S'_1}(\tau_i) = \max\{0, \mathit{nat}_{\bar{S}_1}(\tau_i) - 1\}$ and $\mathit{nat}_{S'_2}(\tau_i) = \max\{0, \mathit{nat}_{\bar{S}_2}(\tau_i) - 1\}$. Since $\mathit{rct}_{S'_1}(\tau_i) > 0$, we have $\mathit{rct}_{\bar{S}_1}(\tau_i) > 0$ too, since $\mathit{rct}$ can only decrease with time elapsing. Since $\bar{S}_2 \succeq_{\mathit{idle}} \bar{S}_1$ we have also $\mathit{nat}_{\bar{S}_1}(\tau_i) = \mathit{nat}_{\bar{S}_2}(\tau_i)$. We conclude that $\mathit{nat}_{S'_1}(\tau_i) = \mathit{nat}_{S'_2}(\tau_i)$.

To conclude the proof it remains to show that, if $S_2 \succeq_{\mathit{idle}} S_1$ and $S_1 \in \mathit{Fail}_\tau$, then $S_2 \in \mathit{Fail}_\tau$ too. Let $\tau_i$ be a task s.t. $\mathit{laxity}_{S_1}(\tau_i) = \mathit{nat}_{S_1}(\tau_i) - (T_i - D_i) - \mathit{rct}_{S_1}(\tau_i) < 0$. Since $S_2 \succeq_{\mathit{idle}} S_1$: $\mathit{rct}_{S_2}(\tau_i) = \mathit{rct}_{S_1}(\tau_i)$, and $\mathit{nat}_{S_2}(\tau_i) \leq \mathit{nat}_{S_1}(\tau_i)$. Hence, $\mathit{laxity}_{S_2}(\tau_i) = \mathit{nat}_{S_2}(\tau_i) - (T_i - D_i) - \mathit{rct}_{S_2}(\tau_i) \leq \mathit{laxity}_{S_1}(\tau_i) < 0$, and thus $S_2 \in \mathit{Fail}_\tau$. □



Note that Theorem 17 does not require the scheduler to be work-conserving. Theorem 17 tells us that any state where tasks have to wait until their next job release can be simulated by a corresponding state where they can release their job earlier, regardless of the specifics of the scheduling policy, as long as it is deterministic, predictable and memoryless, which is what many popular schedulers are in practice, such as preemptive DM or EDF.

Figure 1, previously presented in Section 2, illustrates the effect of using $\succeq_{idle}$ with Algorithm 2. If a state $S_1$ has been encountered previously and we find another state $S_2$ such that $S_1 \succeq_{idle} S_2$, then we can avoid exploring $S_2$ and its successors altogether. However, note that this does not mean we will never encounter a successor of $S_2$, as it may be reached through other paths (or indeed may have been encountered already).
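The following is an added worked example (not code from the paper or its authors) that makes the objects of Theorem 17 and of the pruning rule above concrete: states are tuples of $(\mathrm{rct}, \mathrm{nat})$ pairs, one per task; $\succeq_{idle}$ is the three-condition check used in the proof; the clock-tick successor is the Run step of Definition 10 as the proof uses it; and a memoryless preemptive EDF picks the running set. It then checks, exhaustively over all syntactically valid states of a small constructed task set, that related states choose the same Run set, stay related after the tick, and that failure of the simulated state implies failure of the simulating one. Assumptions of mine, not fixed by the text: the task set, the EDF tie-break by task index, the failure test being taken over tasks with pending work only (rct > 0), and the omission of job-release transitions (which the excerpt of the proof does not cover).

```python
"""Idle-task simulation relation and clock-tick successor on (rct, nat) states.
Added example, not the paper's code.  Assumptions: a state is a tuple of
(rct, nat) pairs indexed by task; only the Run (clock-tick) step of
Definition 10 is modelled, job releases are not; Fail is checked over tasks
with rct > 0; EDF breaks ties by task index."""
from itertools import product

# Constructed task set: (T_i, D_i, C_i) = (min. interarrival, deadline, WCET)
TASKS = [(5, 4, 2), (4, 3, 1)]


def simulates_idle(s2, s1):
    """S2 >=_idle S1: equal rct everywhere; for idle tasks (rct == 0) S2 may
    release earlier (nat2 <= nat1); for active tasks nat must be equal."""
    for (rct2, nat2), (rct1, nat1) in zip(s2, s1):
        if rct2 != rct1:
            return False
        if rct1 == 0:
            if nat2 > nat1:
                return False
        elif nat2 != nat1:
            return False
    return True


def laxity(i, s, tasks=TASKS):
    """laxity_S(tau_i) = nat - (T_i - D_i) - rct, as in the Fail argument."""
    t, d, _ = tasks[i]
    rct, nat = s[i]
    return nat - (t - d) - rct


def is_fail(s, tasks=TASKS):
    """Assumption: a state fails when some task with pending work has laxity < 0."""
    return any(s[i][0] > 0 and laxity(i, s, tasks) < 0 for i in range(len(s)))


def edf_run(s, m, tasks=TASKS):
    """Memoryless preemptive EDF on m processors: the (up to) m active jobs
    with the earliest absolute deadline, i.e. smallest nat - (T_i - D_i)."""
    active = [i for i, (rct, _) in enumerate(s) if rct > 0]
    active.sort(key=lambda i: (s[i][1] - (tasks[i][0] - tasks[i][1]), i))
    return frozenset(active[:m])


def tick(s, run):
    """Clock-tick successor: running tasks lose one unit of rct, every nat
    decreases by one, floored at 0 (Definition 10's Run step)."""
    return tuple((rct - (1 if i in run else 0), max(0, nat - 1))
                 for i, (rct, nat) in enumerate(s))


def theorem17_step_holds(s1, s2, m, tasks=TASKS):
    """For S2 >=_idle S1: same Run set, successors still related, and
    S1 in Fail implies S2 in Fail.  Vacuously true for unrelated pairs."""
    if not simulates_idle(s2, s1):
        return True
    r1, r2 = edf_run(s1, m, tasks), edf_run(s2, m, tasks)
    if r1 != r2:
        return False
    if is_fail(s1, tasks) and not is_fail(s2, tasks):
        return False
    return simulates_idle(tick(s2, r2), tick(s1, r1))


def all_states(tasks=TASKS):
    """Every syntactically valid state: 0 <= rct <= C_i and 0 <= nat <= T_i."""
    per_task = [[(rct, nat) for rct in range(c + 1) for nat in range(t + 1)]
                for (t, _, c) in tasks]
    return [tuple(combo) for combo in product(*per_task)]


def exhaustive_check(m=1, tasks=TASKS):
    """Return (number of related pairs checked, list of counterexamples)."""
    states = all_states(tasks)
    checked, bad = 0, []
    for s1 in states:
        for s2 in states:
            if simulates_idle(s2, s1):
                checked += 1
                if not theorem17_step_holds(s1, s2, m, tasks):
                    bad.append((s1, s2))
    return checked, bad


if __name__ == "__main__":
    for m in (1, 2):
        n, bad = exhaustive_check(m)
        print(f"m={m}: {n} related pairs checked, {len(bad)} counterexamples")
```

The pruning rule of Algorithm 2 follows directly from `theorem17_step_holds`: once a state `s2` with `simulates_idle(s2, s1)` has been explored, every Run successor of `s1` is simulated by one of `s2`, and any failure reachable from `s1` is reachable from `s2`, so `s1` need not be expanded.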

6. Experimental results 

We implemented both Algorithm 1 (denoted BF) and Algorithm 2 (denoted ACBF, for "antichain breadth-first") in C++ using the STL and Boost 1.40.0. We ran head-to-head tests on a system equipped with a quad-core 3.2 GHz Intel Core i7 processor and 12 GB of RAM running Ubuntu Linux 8.10 for AMD64. Our programs were compiled with Ubuntu's distribution of GNU g++ 4.4.5 with flags for maximal optimization.

We based our experimental protocol on that used in [3]. We generated random task sets where task minimum interarrival times $T_i$ were uniformly distributed in $\{1, 2, \ldots, T_{max}\}$, task WCETs $C_i$ followed an exponential distribution of mean $0.35\,T_i$, and relative deadlines $D_i$ were uniformly distributed in $\{C_i, \ldots, T_i\}$. Task sets where $n \le m$ were dropped, as well as sets where $\sum_i C_i / T_i > m$. Duplicate task sets were discarded, as were sets which could be scaled down by an integer factor. We used EDF as scheduler and $m = 2$ for all experiments. Execution times (specifically, used CPU time) were measured using the C clock() primitive.

Figure 1. Algorithm 2 exploits simulation relations to avoid exploring states needlessly. With $\succeq_{idle}$ on this small example, all grey states can be avoided as they are simulated by another state (e.g. $[00,21] \succeq_{idle} [10,21]$ and $[00,00] \succeq_{idle} [10,10]$).
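As an added example (not the authors' generator), the following reproduces the task-set generation and filtering rules of the protocol above in Python. Points the text leaves open are filled by assumptions of mine, flagged in the code: WCETs drawn from the exponential distribution are rounded up to an integer and clamped to $[1, T_i]$ so that $D_i \in \{C_i, \ldots, T_i\}$ is well defined; the number of tasks $n$ per set is drawn uniformly from a small range; two task sets count as duplicates when they are equal as multisets of $(T_i, D_i, C_i)$ triples; and "scalable down by an integer factor" is read as all parameters sharing a common divisor greater than 1.

```python
"""Random task-set generator following the Section 6 protocol.
Added example, not the paper's code.  Assumptions: WCET rounded up to an
integer in [1, T]; n drawn uniformly from n_range; duplicates compared as
sorted tuples of (T, D, C); 'scalable' means gcd of all parameters > 1."""
import math
import random
from fractions import Fraction


def draw_task(rng, t_max):
    """One task: T uniform in {1..t_max}, C ~ Exp(mean 0.35 T) rounded up and
    clamped to [1, T] (assumption), D uniform in {C..T}."""
    t = rng.randint(1, t_max)
    c = min(t, max(1, math.ceil(rng.expovariate(1.0 / (0.35 * t)))))
    d = rng.randint(c, t)
    return (t, d, c)


def canonical(taskset):
    """Order-independent representation used for duplicate detection."""
    return tuple(sorted(taskset))


def is_scaled(taskset):
    """True if every parameter shares an integer factor > 1, i.e. the set is
    a scaled-up copy of a smaller one and would be discarded."""
    g = 0
    for task in taskset:
        for v in task:
            g = math.gcd(g, v)
    return g > 1


def admissible(taskset, m):
    """Apply the protocol's filters: n > m, total utilisation <= m, not scalable."""
    if len(taskset) <= m:
        return False
    utilisation = sum(Fraction(c, t) for (t, d, c) in taskset)  # exact arithmetic
    if utilisation > m:
        return False
    return not is_scaled(taskset)


def generate(count, m=2, t_max=6, n_range=(2, 6), seed=0):
    """Return `count` distinct admissible task sets (deterministic for a seed)."""
    rng = random.Random(seed)
    seen, out = set(), []
    while len(out) < count:
        n = rng.randint(*n_range)
        ts = canonical(draw_task(rng, t_max) for _ in range(n))
        if ts in seen or not admissible(ts, m):
            continue
        seen.add(ts)
        out.append(ts)
    return out


if __name__ == "__main__":
    for ts in generate(5, seed=1):
        u = sum(Fraction(c, t) for (t, d, c) in ts)
        print(ts, "utilisation =", float(u))
```

Using exact `Fraction` arithmetic for the utilisation bound avoids the off-by-rounding acceptance of sets whose utilisation is exactly $m$ in rationals but slightly above it in floating point.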

Our first experiment used $T_{max} = 6$ and we generated 5,000 task sets following the previous rules (of which 3,240 were EDF-schedulable). Figure 2 showcases the performance of both algorithms on these sets. The number of states explored by BF before halting gives a notion of how big the automaton was (if no failure state is reachable, the number is exactly the number of states in the automaton that are reachable from the initial state; if a failure state is reachable, BF halts before exploring the whole system). It can be seen that while ACBF and BF show similar performance for fairly small systems (roughly up to 25,000 states), ACBF outperforms BF for larger systems, and we can thus conclude that the antichains technique scales better. The largest system analyzed in this experiment was schedulable (and BF thus had to explore it completely), contained 277,811 states and was handled in slightly less than 2 hours with BF, whereas ACBF clocked in at 4 minutes.

Figure 2. States explored by BF before halt vs. execution time of BF and ACBF (5,000 task sets with $T_{max} = 6$).

Figure 3 shows, for the same experiment, a comparison between the states explored by BF and by ACBF. This comparison is more objective than the previous one, as it does not depend on the actual efficiency of our crude implementations. As can be seen, the simulation relation allows ACBF to drop a considerable number of states from its exploration as compared with BF: on average, 70.8% were avoided (64.0% in the case of unschedulable systems, which cause an early halt, and 74.5% in the case of schedulable systems). This of course largely explains the better performance of ACBF, but we must also take into account the overhead due to the more complex algorithm. In fact, we found that in some cases ACBF would yield worse performance than BF. However, to the best of our knowledge, this only seems to occur in cases where BF took relatively little time to execute (less than five seconds) and is thus of no concern in practice.

Our second experiment used 5,000 randomly generated task sets with $T_{max} = 8$ (of which 3,175 were schedulable) and was intended to give a rough idea of the limits of our current ACBF implementation. Figure 4 plots the number of states explored by ACBF before halting versus its execution time. We can first notice that the plot looks remarkably similar to BF in Figure 2, which seems to confirm the exponential complexity of ACBF which we predicted. The largest schedulable system considered necessitated exploring 198,072 states and required roughly 5.5 hours. As a spot-check, we ran BF on a schedulable system where ACBF halted after exploring 14,754 states in 78 seconds; BF converged after just over 6 hours, exploring 434,086 states.

Figure 3. States explored by BF before halt vs. states explored by ACBF before halt (5,000 task sets with $T_{max} = 6$).

Figure 4. States explored by ACBF before halt vs. ACBF execution time (5,000 task sets with $T_{max} = 8$).

Our experimental results thus yield several interesting observations. The number of states explored by ACBF using the idle-task simulation relation is, on average, significantly smaller than the number explored by BF. This gives an objective metric to quantify the computational performance gains of ACBF with respect to BF. In practice, using our implementation, ACBF outperforms BF for any reasonably sized automaton, but we have seen that while our current implementation of ACBF defeats BF, it itself becomes slow for slightly more complicated task sets. However, we expect smarter implementations and more powerful simulation relations to push ACBF much further.

7. Conclusions and future work 

We have successfully adapted a novel algorithmic tech- 
nique developed by the formal verification community, 
known as antichain algorithms OUT], to greatly improve 
the performance of an existing exact schedulability test 
for sporadic hard real-time tasks on identical multiprocessor platforms [3]. To achieve this, we developed and
proved the correctness of a simulation relation on a formal 
model of the scheduling problem. While our algorithm 
has the same worst-case performance as a naive approach, 
we have shown experimentally that our preliminary im- 
plementation can still outperform the latter in practice. 

The model introduced in Section [3] yields the added 
contribution of bringing a fully formalized description of 
the scheduling problem we considered. This allowed us 
to formally define various scheduling concepts such as 
memorylessness, work-conserving scheduling and various 
scheduling policies. These definitions are univocal and 
not open to interpretation, which we believe is an impor- 
tant consequence. We also clearly define what an execu- 
tion of the system is, as any execution is a possibly infinite 
path in the automaton, and all possible executions are ac- 
counted for. 

We expect to extend these results to the general Baker- 
Cirinei automaton which allows for arbitrary deadlines in 
due time. We chose to focus on constrained deadlines in 
this paper mainly because it simplified the automaton and 
made our proofs simpler, but we expect the extension to 
arbitrary deadlines to be fairly straightforward. We also 
only focused on developing forward simulations, but there
also exist antichain algorithms that use backward simula- 
tions ifTTl . It would be interesting to research such rela- 
tions and compare the efficiency of those algorithms with 
that presented in this paper. 

The task model introduced in Section [2] can be further 
extended to enable study of more complex problems, such 
as job-level parallelism and semi-partitioned scheduling. 
The model introduced in Section [3] can also be extended 
to support broader classes of schedulers. This was briefly touched on in [3]. For example, storing the previous scheduling choice in each state would allow modelling of non-preemptive schedulers.

It has not yet been attempted to properly optimize our antichain algorithm by harnessing adequate data structures; our objective in this work was primarily to get a preliminary "proof-of-concept" comparison of the performance of the naive and antichain algorithms. Adequate implementation of structures such as binary decision diagrams [7] and covering sharing trees [11] should allow pushing the limits of the antichain algorithm's performance.

Antichain algorithms should terminate more quickly by using coarser simulation preorders. Researching other simulation preorders on our model, particularly preorders that are a function of the chosen scheduling policy, is also key to improving performance. Determining the complexity class of sporadic task set feasibility on identical multiprocessor platforms is also of interest, as it may tell us whether other approaches could be used to solve the problem.

A. Proof of Lemma 14

In order to establish the lemma, we first show that, for any set $B$ of states, the following holds:

Lemma 18. $\mathrm{Max}_{\succeq}(\mathrm{Succ}(\mathrm{Max}_{\succeq}(B))) = \mathrm{Max}_{\succeq}(\mathrm{Succ}(B))$.

Proof. We first show that $\mathrm{Max}_{\succeq}(\mathrm{Succ}(\mathrm{Max}_{\succeq}(B))) \subseteq \mathrm{Max}_{\succeq}(\mathrm{Succ}(B))$. By definition of $\mathrm{Max}_{\succeq}(B)$, we know that $\mathrm{Max}_{\succeq}(B) \subseteq B$, and $\mathrm{Succ}$ is monotonic wrt set inclusion, hence $\mathrm{Succ}(\mathrm{Max}_{\succeq}(B)) \subseteq \mathrm{Succ}(B)$. Let $S \in \mathrm{Max}_{\succeq}(\mathrm{Succ}(\mathrm{Max}_{\succeq}(B)))$; then $S \in \mathrm{Succ}(B)$, and it remains to show that $S$ is maximal in $\mathrm{Succ}(B)$. Assume per absurdum that there exists $S' \in \mathrm{Succ}(B)$ s.t. $S' \succ S$, and let $S_1 \in B$ be s.t. $(S_1, S') \in E$. Since $S_1 \in B$, there exists $S_3 \in \mathrm{Max}_{\succeq}(B)$ s.t. $S_3 \succeq S_1$, and since $\succeq$ is a simulation relation, there is $S_4 \in \mathrm{Succ}(S_3) \subseteq \mathrm{Succ}(\mathrm{Max}_{\succeq}(B))$ s.t. $S_4 \succeq S' \succ S$. Hence $S_4 \succ S$, which contradicts the maximality of $S$ in $\mathrm{Succ}(\mathrm{Max}_{\succeq}(B))$.

Then, we show that $\mathrm{Max}_{\succeq}(\mathrm{Succ}(\mathrm{Max}_{\succeq}(B))) \supseteq \mathrm{Max}_{\succeq}(\mathrm{Succ}(B))$. Let $S_2$ be a state in $\mathrm{Max}_{\succeq}(\mathrm{Succ}(B))$. Let $S_1 \in B$ be a state s.t. $(S_1, S_2) \in E$; since $S_2 \in \mathrm{Succ}(B)$, such an $S_1$ always exists. Since $S_1 \in B$, there exists $S_3 \in \mathrm{Max}_{\succeq}(B)$ s.t. $S_3 \succeq S_1$. By definition of a simulation relation, there is $S_4 \in \mathrm{Succ}(\mathrm{Max}_{\succeq}(B))$ s.t. $S_4 \succeq S_2$. Let us show per absurdum that $S_4$ is maximal in $\mathrm{Succ}(\mathrm{Max}_{\succeq}(B))$. Assume there exists $S_5 \in \mathrm{Succ}(\mathrm{Max}_{\succeq}(B))$ s.t. $S_5 \succ S_4$. Since $\mathrm{Max}_{\succeq}(B) \subseteq B$, $S_5$ is in $\mathrm{Succ}(B)$ too. Moreover, since $S_4 \succeq S_2$ and $S_5 \succ S_4$, we conclude that $S_5 \succ S_2$. Thus, there is in $\mathrm{Succ}(B)$ an element $S_5 \succ S_2$. This contradicts our hypothesis that $S_2 \in \mathrm{Max}_{\succeq}(\mathrm{Succ}(B))$. Finally, $S_4 \in \mathrm{Succ}(B)$ and $S_4 \succeq S_2$ with $S_2$ maximal in $\mathrm{Succ}(B)$ force $S_4 = S_2$ ($\succeq$ being antisymmetric on states, as $\succeq_{idle}$ is), so $S_2 \in \mathrm{Max}_{\succeq}(\mathrm{Succ}(\mathrm{Max}_{\succeq}(B)))$. □

Then, we are ready to show that:

Lemma 19. Let $A$ be an automaton and let $\succeq$ be a simulation relation for $A$. Let $R_0, R_1, \ldots$ and $\tilde{R}_0, \tilde{R}_1, \ldots$ denote respectively the sequences of sets computed by Algorithm 1 and Algorithm 2 on $A$. Then, for all $i \ge 0$: $\tilde{R}_i = \mathrm{Max}_{\succeq}(R_i)$.

Proof. The proof is by induction on $i$. We first observe that for any pair of sets $B$ and $C$, the following holds:

$$\mathrm{Max}_{\succeq}(B \cup C) = \mathrm{Max}_{\succeq}(\mathrm{Max}_{\succeq}(B) \cup \mathrm{Max}_{\succeq}(C)) \quad (1)$$

Base case $i = 0$. Clearly, $\mathrm{Max}_{\succeq}(R_0) = R_0$ since $R_0$ is a singleton. By definition $\tilde{R}_0 = R_0$.

Inductive case $i = k$. See Figure 5.

□

Figure 5. Inductive case for Lemma 19. Induction hypothesis: we assume that $\tilde{R}_{k-1} = \mathrm{Max}_{\succeq}(R_{k-1})$. Then:

$$\begin{aligned}
\tilde{R}_k &= \mathrm{Max}_{\succeq}\big(\tilde{R}_{k-1} \cup \mathrm{Succ}(\tilde{R}_{k-1})\big) && \text{by def.} \\
&= \mathrm{Max}_{\succeq}\big(\mathrm{Max}_{\succeq}(\tilde{R}_{k-1}) \cup \mathrm{Max}_{\succeq}(\mathrm{Succ}(\tilde{R}_{k-1}))\big) && \text{by (1)} \\
&= \mathrm{Max}_{\succeq}\big(\mathrm{Max}_{\succeq}(\mathrm{Max}_{\succeq}(R_{k-1})) \cup \mathrm{Max}_{\succeq}(\mathrm{Succ}(\mathrm{Max}_{\succeq}(R_{k-1})))\big) && \text{by I.H.} \\
&= \mathrm{Max}_{\succeq}\big(\mathrm{Max}_{\succeq}(R_{k-1}) \cup \mathrm{Max}_{\succeq}(\mathrm{Succ}(R_{k-1}))\big) && \text{by Lemma 18 and idempotence of } \mathrm{Max}_{\succeq} \\
&= \mathrm{Max}_{\succeq}\big(R_{k-1} \cup \mathrm{Succ}(R_{k-1})\big) && \text{by (1)} \\
&= \mathrm{Max}_{\succeq}(R_k) && \text{by def.}
\end{aligned}$$
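The following is an added example (not the authors' code) that exercises Lemma 18, identity (1) and Lemma 19 mechanically on a small abstract automaton, so that the antichain bookkeeping of Algorithm 2 can be checked against the naive breadth-first fixpoint of Algorithm 1 step by step. Assumptions of mine: states are integer vectors in $\{0,\ldots,N\}^d$, the successor relation increments one coordinate (saturating at $N$), and the simulation preorder is the componentwise order, which is a simulation for this successor relation (if $s \ge t$ and $t' = t + e_k$, then $s' = s + e_k$ satisfies $s' \ge t'$) and is antisymmetric, as the proof of Lemma 18 needs. The two iteration schemes follow the definitions used in Figure 5: $R_k = R_{k-1} \cup \mathrm{Succ}(R_{k-1})$ and $\tilde{R}_k = \mathrm{Max}_{\succeq}(\tilde{R}_{k-1} \cup \mathrm{Succ}(\tilde{R}_{k-1}))$.

```python
"""Antichain operator Max and mechanical checks of Lemma 18, identity (1)
and Lemma 19 on a small abstract automaton.  Added example, not the
paper's code.  Assumptions: states in {0..N}^DIM, successors increment one
coordinate (saturating at N), simulation preorder = componentwise order."""
from itertools import combinations, product

N, DIM = 3, 2


def geq(s, t):
    """s >= t in the componentwise (simulation) order."""
    return all(a >= b for a, b in zip(s, t))


def succ(states):
    """Succ(B): every state reachable in one step from some state of B."""
    out = set()
    for s in states:
        for k in range(len(s)):
            s2 = list(s)
            s2[k] = min(N, s2[k] + 1)
            out.add(tuple(s2))
    return out


def maximal(states):
    """Max_>=(B): the antichain of states of B not strictly dominated in B."""
    states = set(states)
    return {s for s in states if not any(t != s and geq(t, s) for t in states)}


def lemma18_holds(b):
    return maximal(succ(maximal(b))) == maximal(succ(b))


def identity1_holds(b, c):
    return maximal(b | c) == maximal(maximal(b) | maximal(c))


def bf(init):
    """Algorithm 1 style iteration: R_k = R_{k-1} U Succ(R_{k-1}) to a fixpoint."""
    r = set(init)
    while True:
        yield r
        nxt = r | succ(r)
        if nxt == r:
            return
        r = nxt


def acbf(init):
    """Algorithm 2 style iteration: R~_k = Max(R~_{k-1} U Succ(R~_{k-1}))."""
    r = maximal(init)
    while True:
        yield r
        nxt = maximal(r | succ(r))
        if nxt == r:
            return
        r = nxt


def lemma19_holds(init):
    """Check R~_i == Max(R_i) for every i; a sequence that has stopped is
    treated as constant from its last element on."""
    seq_bf, seq_ac = list(bf(init)), list(acbf(init))
    for i in range(max(len(seq_bf), len(seq_ac))):
        r = seq_bf[min(i, len(seq_bf) - 1)]
        r_tilde = seq_ac[min(i, len(seq_ac) - 1)]
        if r_tilde != maximal(r):
            return False
    return True


def explored_sizes(init):
    """(|R| at BF's fixpoint, |R~| at ACBF's fixpoint): states each keeps."""
    return len(list(bf(init))[-1]), len(list(acbf(init))[-1])


def check_lemmas(max_size=3):
    """Exhaustively check Lemma 18 on all state sets of size <= max_size and
    identity (1) on a sample of pairs; returns (lemma18_ok, identity1_ok)."""
    states = list(product(range(N + 1), repeat=DIM))
    small = [set(c) for k in range(1, max_size + 1) for c in combinations(states, k)]
    sample = small[:40]
    return (all(lemma18_holds(b) for b in small),
            all(identity1_holds(b, c) for b in sample for c in sample))


if __name__ == "__main__":
    print("Lemma 18 / identity (1):", check_lemmas())
    print("Lemma 19 from (0,0):", lemma19_holds({(0, 0)}))
    print("BF vs ACBF fixpoint sizes:", explored_sizes({(0, 0)}))
```

On this automaton every state is reachable, so BF's fixpoint holds all $(N+1)^d$ states while ACBF's antichain collapses to the single top state; the per-step comparison in `lemma19_holds` is exactly the invariant $\tilde{R}_i = \mathrm{Max}_{\succeq}(R_i)$ that justifies pruning simulated states without losing reachable failures.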
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